Over 750 Gandi domains compromised to lure visitors towards malware

Earlier today, French registrar and web host Gandi reported that approximately 750 of its domain names had been hijacked by unidentified perpetrator(s), who then diverted website traffic towards harmful applications. According to Gandi, the attacks began last week after the hacker managed to retrieve the login credentials of one of the registrar’s technical partners, who remain unnamed.

Once the hacker obtained unauthorized access to the technical partner's web portal, modifications were made to the assigned name servers, and the domains in question began to re-route users towards a website hosting malware such as the RIG Exploit Kit and the Neutrino Bot. Furthermore, hacking the technical partner's web portal may have granted the attacker temporary control over domain names in 34 geographic TLDs, including .ASIA, .CH, .RU, .ES and .JP.

Swiss information security specialist SCRT was the first to raise an alarm over the issue, with a blog post from the company explaining:

Last Friday at around 14:05 we noticed that our website (www.scrt.ch) along with some other services we use internally were no longer accessible. We immediately tried to figure out why that was and quickly noticed that our DNS requests were not returning the correct IP addresses.

A detailed incident report from Gandi highlights the sequence of events, stating that the hacker's activities went unnoticed for 4 hours until SCRT brought the suspicious changes to the registrar's attention. Within an hour, Gandi's technical team responded by resetting all existing logins and began work on damage limitation. Considering the delay in updating the DNS, Gandi admits that the domain names had been compromised for a duration ranging from 8 to 11 hours.
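The four-hour gap between the name-server change and SCRT noticing that DNS answers were wrong is the kind of drift a domain owner can catch automatically by comparing a zone's delegation and apex addresses against a known-good baseline. The script below is an added example written for this article; it is not Gandi's or SCRT's tooling. The zone name, the expected records and the sample answers are all constructed, and the resolver is a pluggable function so the check runs offline (in production it would wrap a real DNS client such as dnspython, which this example does not need).

```python
"""Detect unexpected changes to a zone's NS delegation or apex A records.

Added example for illustration only; not code from the original article.
Assumptions: EXPECTED holds constructed baseline data, and `lookup` is a
caller-supplied function (hypothetical) returning raw resolver answers.
"""
from typing import Callable, Dict, List, Set

# Constructed baseline: the delegation and apex addresses the owner expects.
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "example.invalid": {
        "NS": {"a.dns.example.invalid.", "b.dns.example.invalid."},
        "A": {"192.0.2.10"},
    },
}

# A resolver takes (name, rrtype) and returns the answer strings.
Resolver = Callable[[str, str], List[str]]


def normalize(rrtype: str, value: str) -> str:
    """Canonicalize answers so cosmetic differences do not raise alerts:
    NS targets are case-insensitive and should end with the root dot."""
    value = value.strip()
    if rrtype == "NS":
        value = value.lower()
        if not value.endswith("."):
            value += "."
    return value


def check_zone(name: str, expected: Dict[str, Set[str]], lookup: Resolver) -> List[str]:
    """Return one finding per record type whose observed set differs."""
    findings = []
    for rrtype, want in expected.items():
        got = {normalize(rrtype, v) for v in lookup(name, rrtype)}
        if got != want:
            added = sorted(got - want)
            missing = sorted(want - got)
            findings.append(f"{name} {rrtype}: unexpected={added} missing={missing}")
    return findings


def check_all(lookup: Resolver, expected=EXPECTED) -> Dict[str, List[str]]:
    """Check every baselined zone; an empty dict means no drift was seen."""
    result = {}
    for zone, records in expected.items():
        findings = check_zone(zone, records, lookup)
        if findings:
            result[zone] = findings
    return result


# Constructed sample answers standing in for real resolver output.
CLEAN_ANSWERS = {
    ("example.invalid", "NS"): ["A.DNS.example.invalid", "b.dns.example.invalid."],
    ("example.invalid", "A"): ["192.0.2.10"],
}
HIJACKED_ANSWERS = {
    ("example.invalid", "NS"): ["ns1.attacker-controlled.invalid."],
    ("example.invalid", "A"): ["198.51.100.77"],
}


def fake_resolver(answers) -> Resolver:
    """Build an offline resolver from a dict of constructed answers."""
    return lambda name, rrtype: list(answers.get((name, rrtype), []))


if __name__ == "__main__":
    print("clean:", check_all(fake_resolver(CLEAN_ANSWERS)))
    print("hijacked:", check_all(fake_resolver(HIJACKED_ANSWERS)))
```

Run on a schedule (every few minutes) and page on any non-empty result; the normalization step matters because registrars and resolvers differ in case and trailing-dot conventions, and without it the monitor would either cry wolf or need looser matching that could hide a real change.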